Cisco Firewall :: Pix515E 6.3.5 Capturing VPN Traffic On Inside INT
Nov 28, 2011
Quick question. I have a site - site tunnel that is up and running between a Pix 515E and a 3050 appliance.Tunnel is up and running but on the pix side I dont see traffic from a couple of subnets behind the inside interface.On the vpnallow access list there are no hits So I setup a capture on the inside interface to see if the packets is making it to the inside interface and nothing. There is some traffic making it thru the tunnel that would have to hit the inside int first and even that doesnt showup in the capture.
View 1 Replies
ADVERTISEMENT
Mar 19, 2013
We have a Cisco 2811 running ITP IOS. On that router we run the SMPP service. A client on the network connects to this service, and we need to capture the traffic for debug.
I've tried traffic-export, but I cannot see any outbound traffic.I'm guessing that this is due to the fact that the outbound SMPP traffic is not transit traffic as it is generated by the router itself.
Is there any way to capture the outbound traffic?
View 4 Replies
View Related
Dec 30, 2011
I am monitoring 2 or more source interfaces which are running 1G traffic on each interface. Destination is 10G interface.There are 2 kinds of traffic running through the source interfaces: icmp and regular IP traffic. I am only interested in capturing icmp traffic. How can I achieve my goal?I don’t have any vlan traffic at all. Router is c6500.
source (1G) destination (10G)
------------------------- Router --------------------------------------Linux
|
| source (1G)
|
|
View 1 Replies
View Related
Nov 21, 2011
I have configured SPAN session on 2960 switch, source port being a VLAN and destination being one of the fastethernet ports. All I see in the capture is control traffic (HSRP, RIP, Syslog, DNS..etc). However I dont see any real data traffic being captured. Below is how I have SPAN configured..
monitor session 1 source vlan <vlan_id> both
monitor session 1 destination interface fa0/42
View 1 Replies
View Related
Mar 22, 2012
I have configured Span port on our 4510. We have an application 5view server to monitor trafic connected to G9/17 Since we have changed the network connection from physical Giga port and add a Port-channel instead, we don't see any more trafic from the new Port-channel to G9/17
We have the configuration below on our 4510 :
monitor session 1 source interface Gi4/6
monitor session 1 source interface Po20
monitor session 1 filter vlan 311 - 312 , 375
monitor session 1 destination interface Gi9/17
From the commands show, we don't see the trafic duplication from the source to the destination port :
Port Source
4510-5567#sh int po20
Port-channel20 is up, line protocol is up (connected)
Hardware is EtherChannel, address is 0016.9de2.a818 (bia 0016.9de2.a818)
[Code].....
View 2 Replies
View Related
Dec 25, 2012
Most examples of NAT translation using an ASA 8.4 are based on servers within a DMZ. In my case it's not because the mailserver also functions as an data and Active Directory server for my local domain. If tried to config the ASA for a while now and throw it in the corner for a couple of months out of frustration. Now I got some time left during christmas break I decided to start again.My purpose is to NAT SMTP / POP traffic from the internet, trough the ASA to my (inside) server. This is what I got so far. With this config I'm unable to telnet the inside server (192.168.1.10) from a remote location.
ASA Version 8.4(3)!hostname ciscoasaenable password cE8UUNd encryptedpasswd 2KFQ.2KYOU encryptednames!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.253 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 95.*.*.218 255.255.255.248!ftp mode passiveobject network obj_anysubnet 0.0.0.0 0.0.0.0object network server1_smtphost 192.168.1.10object network server1_pop3host 192.168.1.10access-list outside_access_in extended
[code]....
I can ping 192.168.1.10 from the ASA CLI. I can Ping DNS 4.2.2.2 from the CLI (internet access). I can Telnet the server from the inside LAN, using: telnet 192.168.1.10 25.But I can't Telnet from an outside location using: Telnet 95.*.*.218 25 Because my server is on the Inside interface (diffenrent subnet) do I need an additional route?
View 5 Replies
View Related
Mar 2, 2011
I am setting up a pair of 5520 in A/S mode but the traffic from inside to outside seems blocked somehow.
asa01# sh run : Saved
ASA Version 8.3(1)
host name asa01
enable password LFJ8dTG1HExu/pWQ encrypted
password 2KFQnbNIdI.2KYOU encrypted
names
[code]......
Base on the above configuration, I still cannot ping or HTTP.
View 10 Replies
View Related
Nov 18, 2011
One Host on inside network needs to access customized application hosted on Internet. Its a customized application run on port 80, 443, 5000-to-50020
How do I allow this host access for this specific application. I got ASA 5510 and host is in the inside network, we also got an ACL on inside interface to have control.
-Host IP on inside network - 172.16.30.15
-Application to access - 74.219.x.x
-Inside ACL name - inside-acl
View 5 Replies
View Related
Jan 24, 2012
At present we are having a 4900 series switch where we are running one monitor session.Additionaly we are in need of capturing VLAN traffic and set the destination to 2 * GE ports , both are in the same switch.Due to the limitation of two monitor sessions per switch , we thought of putting the destination ports as port channel but it looks like it is not supported.
View 1 Replies
View Related
Aug 6, 2012
I am aware that the 3750 switches are not able to support Netflows, so I have created a SPAN port and spanning traffic from a specific port. I would like to create a seperate VLAN and trunk the traffic from the SPAN port down to the 6509 switch and then capture all the traffic for that VLAN on the 6509.
View 4 Replies
View Related
May 15, 2012
Let me start by saying that I'm just starting to study for CCNA, so the ASA seems to be a bit above me yet. The ASA's we are using is for VPN to our corporate office and only allowing access to our Citrix environment, so no direct internet allowed. We have a person who works in the remote office who has need for a caption telephone that requires direct access to the internet. The phone only supports DHCP, and getting the ASA to do an ARP reservations is proving difficult. For now I wrote an access list to allow it's DHCP address out but it still isn't working. The access list I wrote is:
access-list 101 extended permit ip host xxx.xxx.xxx.124 any log
access-list 101 extended permit ip any any
access-group 101 out interface outside
When I do a show access-list I'm seeing that traffic is hitting the access list as the hit counter has increased. When I do a show conn I'm seeing one of the IP's that the phone should have access to, however the flags are: saA, so I'm assuming they are not getting a response. According to the manufacturer, only outbound connections are needed, no incoming ports required. All traffic is TCP.
View 8 Replies
View Related
Nov 27, 2011
I am trying to make a basic config on my 5520. The first goal is to make trafic from inside to outside.The internet address is 64.28.29.200 and the default internet gw is 64.28.20.193What am I missing since I can not get trafic from inside to the internet? [code]
View 10 Replies
View Related
Nov 9, 2011
I trying to allow traffic between 2 inside interfaces with the same security level. VLAN1 and VLAN15. The are on different physical ports on the ASA. I tried to configure this through the GUI Web interface and checked ' enable traffic between two or more interfaces with the same security levels'. With this ASA version, I do not need NAT to allow this, correct?
ASA Version 8.2(1)
!
hostname ciscoasa
[Code].....
View 1 Replies
View Related
Oct 13, 2012
I need to configure a Cisco ASA5510.Connencted the a single interface I have a switch. To this switch (same VLAN) there are connected:
1. The Subnet of the main office (192.168.1.253)
2. A router (IP 192.168.1.254) that routes the traffic to a remote location (Subnet 192.168.8.0/24)
I have so allowed any traffic incoming to the inside interface as follows:access-list inside_access_in extended permit ip any any and I have permitted traffic intra interface as follows: same-security-traffic permit intra-interface. [code]Unfortunately I cannot RDP into that server. When I simulate the connection via Packet tracer, it tells me that the implicit deny on the bottom of the connections from "inside" (firewall) does not allow the connection. It sounds to me like that "same-security-traffic permit intra-interface" does work only if there are 2 interfaces and not a single one.Unfortunately I cannot just unplug the cable and connect it into another port as the ip is on the same subnet and I cannot configure the other end router.
View 4 Replies
View Related
Jul 21, 2012
We have a Cisco ASA 5505 (v7.2(3)) with a "fairly" normal configuration yet we have a problem where it appears UDP/53 traffic is denied on our inside network.
here is output from our sys log:
SyslogID Source IP Dest IP Description
305006 172.18.22.3 portmap translation creation failed for udp src inside:172.18.22.156/42013 dst inside:172.18.22.3/53
To give some clarification:
172.18.22.3 is one of our DNS servers
172.18.22.156 is a device we're experimenting with.
We've bypassed the Cisco by using a 4G wireless router with this same device - and it works flawlessly.Here is a [scrubbed] copy of our config. It is what I inherited from the previous admin - I'm not sure of all its finer points (I'm not Cisco certified -- perhaps I'm just certifiable.)
: Saved
:
ASA Version 7.2(3)
!
hostname [redacted]
[code].....
View 5 Replies
View Related
Apr 6, 2011
I have a handheld device that will be used for inventory outside of our office. It has 3g capabilities. Is there anyway I can permit traffic from this device from the outside world coming into my network? I need to open a couple of ports so it can hit the server. But I have no intention to open these ports up to the entire world. I use an ASA 5520 with a managed router from our provider. I looked around on the Cisco site and the only information I found was for permitting and denying traffic from devices that are within the network.
View 2 Replies
View Related
Aug 21, 2011
I just made a move from a PIX 506 to an ASA 5540. I have a user that currently logs into a web portal and runs a job. It is now erroring out. When I run the test it gives me the following message:
Testing ports...
Port 1433: Failed
Port 1150: Success
Port 80: Success
Port 443: Success
One or more tests have failed
The computer we access this site from is on the inside network and the ACL says permit ip any any from the inside out so I am not sure why it is failing. Under the ASA Home screen I see the Top 10 Protected Servers under SYN Attack and it appears that the ASA thinks this is some sort of attack.
View 1 Replies
View Related
Oct 10, 2011
I've been trying to figure this one out for quite a while. I currently have 2 inside interfaces (data, phone) and I am moving to 3 inside interfaces (servers, workstations, phones). I have not been able to get any traffic between the interfaces. With the current setup it was not a major problem. With the new setup it will be a major problem.
Below is a sanitized version of the config.
ASA Version 8.2(1)
!
hostname BOB
[Code].....
View 11 Replies
View Related
Jan 7, 2012
Previous attempts to set up these NAT rules has been met with minimal success. We have been able to get the NAT rules created, and able to ping our inside servers and receivers from a different outside network, but every time we get that far our internal network crashes. Running the Packet Trace utility via the ASDM shows that internal traffic from the servers to the workstations is being blocked by the default implicit rule under the access rule heading that states "any to any, service being ip, action= deny". Reverse traffic from the workstations to the servers is being allowed though. In an effort to start over again, the Cisco ASA has been Factory Defaulted via the CLI, and has had it's Inside network, and Outside IP address set back up. DHCP pool has been setup for a minimal amount of addresses on the inside network, since most of our equipment will always be assigned statics. We reset our static NAT policies, and seem to be having the same problem. My partner and I have been working on this for some time now, and have ourselves so frustrated that I know we are missing something simple. [code]
View 10 Replies
View Related
Mar 12, 2013
I've an ASA 5505 connecting to a vdsl modem. The ASA is doing the PPPoE encapsulation. I've noticed the traffic amount on the outside interface is always twice the bandwidth it receives on its inside interface. I can't believe the PPP encapsulation is taking that much. Only two interfaces (inside and outside)
View 4 Replies
View Related
Apr 19, 2012
I got ASA 5510 with base license, can I block all Peer-2-Peer traffic from inside to outside.
ASA Giga 0/0 connected to ISP Router 2811
ASA Giga 0/1 connected to LAN switch 3560
View 3 Replies
View Related
Oct 9, 2011
I have Pix 501 firewall and I'm just configuring the device for "Email Server" to allowing POP/SMTP.
Inside Interface Address: 132.147.162.14/255.255.0.0
Outside Interface Address: ISP provided IP address
My question is can my traffic goes from inside interface to outside interface? (because the inside interface address not from 10.0/172./192.168 private address)Also I'm allowing internet from this email server (132.147.162.14) so what my access list to be configured? and what my subnet mask shoud be there?
Pix(config)#access-list outbound permit tcp 132.147.162.14 255.255.0.0 any eq 80
Pix(config)#access-list outbound permit udp 132.147.162.14 255.255.0.0 any eq 53
Pix(config)#access-group outbound in interface inside
View 7 Replies
View Related
Mar 27, 2013
I have a PIX 515E UR which I would like to activate the VPN-3DES-AES license. I did find a link to register the license, but after following the link and logging into my old CCO account i found that as I didn't have access to anything, so couldn't complete the procedure.Is there any way that I can get the license activated? I bought the unit from a Cisco partner quite some time ago, but never needed the 3DES license. Now I do.
View 3 Replies
View Related
Jun 27, 2012
I need configuring a newly reinstated PIX515E with IOS 6.3 to test the configuration of a load balancer.I would like to setup with two Inside interfaces (or simply two interfaces) for testing. I just need it to pass traffic (basically HTTP and HTTPS) between these two interfaces without using NAT.The older IOS is causing me some problems. I don't have an outside interface configured for Internet access,but trying to connect via IP address does't work either. I may be able to configure a second DNS server for the 192.168.12.X network for testing purposes if needed. I even tried to set the default route to the Interface of the production ASA's inside interface (3.1), but that did not work either.
View 6 Replies
View Related
Feb 12, 2012
I just added a PIX515E to my lab (since this is a lab, if I need to change IP address, that is not a problem)....I thought I configured it right, but I am not able to ping any of my other routers/PCs.I have EIGRP on the other three routers, but not sure if I configured it right on the PIX.The diagram below shows my current network topology....(right now the PIX is connected vai Ethernet 1 to the switch, not the router itself) [code]
View 13 Replies
View Related
Aug 28, 2011
I just bought a used PIX515e. It is running version 8.0(3) and ASDM 6.1.5 Because I do not know the history of the unit, how can I tell if the image used came from cisco and not some download site? I guess I should've thought about this before buying it but hindsight is...you know. Worse case is that the person who had it before me dl the software that was infected with a backdoor or something else. I don't have a service contract so I'm kinda stuck.
Can I download the image from the firewall flash and compare a MD5SUM?
View 12 Replies
View Related
Feb 16, 2012
We are planning to upgrade the PIX515e (128 MB, 16 MB flash) adaptive software from 7.2(4) to 8.0.3(ED). In our environment the two PIXes are working in active-standby mode and experiencing high memory utilization.
1) What are the bug fixes(like memory leak fix) and new configuration options in the 8.0.3(ED)?
2) Is there any issues to upgrade 7.2 to 8.0.3(ED)?
3) Is the upgrade to new version software fix the memory utilization issue?
View 1 Replies
View Related
Sep 8, 2012
why the ethernet 3,4,5 is not licensed here ?
View 3 Replies
View Related
Mar 17, 2012
i wounder why i'm getting such log message whenever i'm trying to reach my remote site: No translation group found for tcp src outside XXXX dst dmz ZZZZ, i have a Cisco PIX515E firewall and that message is captured there, the traffic is going through a VPN tunnel (the VPN are up on both ends)
View 2 Replies
View Related
Jun 28, 2012
We have two PIX515E ( 6.3), one is Primary( Active) and second one is Standby. after configuration of Secondary Firewall as Standby. getting problem.
1. Configuration part everything is fine
2.we have done failover text also .
Aster Some time , we are not able see Standby Firewall its going down .
View 2 Replies
View Related
Sep 15, 2011
I have a PIX515E. I need to create a vpn to my clients office. PIX is alerady having two VPN, among two one is a dynamic VPN to a dynamic IP of netgear router.
It has two gateway(public IP). Configuration in MH2001 is pretty simple. and i have completed it.I have also completed configuration in PIX using ASDM. But the VPN is not up till now.
[code]...
View 1 Replies
View Related
May 20, 2012
I am trying to veiw my PIX515e via the ASDM, but I am unable to...Can you review my config and make sure I have everything setup the way it is supposed to?
PIX Version 8.0(4)32
!
hostname pixfirewall
domain-name jkkcc.com
enable password DQucN59Njn0OjpJL encrypted
passwd DQucN59Njn0OjpJL encrypted(code)
View 1 Replies
View Related
May 20, 2012
I am trying to veiw my PIX515e via the ASDM, but I am unable to...Can you review my config and make sure I have everything setup the way it is supposed to?
PIX Version 8.0(4)32
!
hostname pixfirewall
[Code].....
View 3 Replies
View Related
